Add intel detection for apparently successful logins.
This commit is contained in:
parent
5921a68e91
commit
ebacb80d1c
1 changed files with 13 additions and 12 deletions
|
@ -19,6 +19,11 @@ export {
|
||||||
## currently implemented.
|
## currently implemented.
|
||||||
Login_By_Password_Guesser,
|
Login_By_Password_Guesser,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
redef enum Intel::Where += {
|
||||||
|
## An indicator of the login for the intel framework.
|
||||||
|
SSH::SUCCESSFUL_LOGIN,
|
||||||
|
};
|
||||||
|
|
||||||
## The number of failed SSH connections before a host is designated as
|
## The number of failed SSH connections before a host is designated as
|
||||||
## guessing passwords.
|
## guessing passwords.
|
||||||
|
@ -33,10 +38,6 @@ export {
|
||||||
## heuristic fails and this acts as the whitelist. The index represents
|
## heuristic fails and this acts as the whitelist. The index represents
|
||||||
## client subnets and the yield value represents server subnets.
|
## client subnets and the yield value represents server subnets.
|
||||||
const ignore_guessers: table[subnet] of subnet &redef;
|
const ignore_guessers: table[subnet] of subnet &redef;
|
||||||
|
|
||||||
## Tracks hosts identified as guessing passwords.
|
|
||||||
global password_guessers: set[addr]
|
|
||||||
&read_expire=guessing_timeout+1hr &synchronized &redef;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event bro_init()
|
||||||
|
@ -46,10 +47,15 @@ event bro_init()
|
||||||
$measure=set(Metrics::SUM),
|
$measure=set(Metrics::SUM),
|
||||||
$threshold=password_guesses_limit,
|
$threshold=password_guesses_limit,
|
||||||
$threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = {
|
$threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) = {
|
||||||
|
# Generate the notice.
|
||||||
NOTICE([$note=Password_Guessing,
|
NOTICE([$note=Password_Guessing,
|
||||||
$msg=fmt("%s appears to be guessing SSH passwords (seen in %.0f connections).", index$host, val$sum),
|
$msg=fmt("%s appears to be guessing SSH passwords (seen in %.0f connections).", index$host, val$sum),
|
||||||
$src=index$host,
|
$src=index$host,
|
||||||
$identifier=cat(index$host)]);
|
$identifier=cat(index$host)]);
|
||||||
|
# Insert the guesser into the intel framework.
|
||||||
|
Intel::insert([$host=index$host,
|
||||||
|
$meta=[$source="local",
|
||||||
|
$desc=fmt("Bro observed %0.f apparently failed SSH connections.", val$sum)]]);
|
||||||
}]);
|
}]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -57,14 +63,9 @@ event SSH::heuristic_successful_login(c: connection)
|
||||||
{
|
{
|
||||||
local id = c$id;
|
local id = c$id;
|
||||||
|
|
||||||
# TODO: This is out for the moment pending some more additions to the
|
Intel::seen([$host=id$orig_h,
|
||||||
# metrics framework.
|
$conn=c,
|
||||||
#if ( id$orig_h in password_guessers )
|
$where=SSH::SUCCESSFUL_LOGIN]);
|
||||||
# {
|
|
||||||
# NOTICE([$note=Login_By_Password_Guesser,
|
|
||||||
# $conn=c,
|
|
||||||
# $msg=fmt("Successful SSH login by password guesser %s", id$orig_h)]);
|
|
||||||
# }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
event SSH::heuristic_failed_login(c: connection)
|
event SSH::heuristic_failed_login(c: connection)
|
||||||
|
|
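Review bot: The `Intel::insert` added to the `$threshold_crossed` handler carries no expiry, whereas the `password_guessers` set it replaces was declared `&read_expire=guessing_timeout+1hr`; unless the intel framework ages out local items elsewhere, a host stays an indicator for the life of the process and every later `SSH::heuristic_successful_login` from that `orig_h` keeps matching, independent of `guessing_timeout`. That is a behavior change worth recording next to the insert, e.g. `# Indicator never expires: the host stays matched after guessing_timeout elapses.` The `$desc` format string also uses `%0.f` while the notice a few lines above uses `%.0f`; the two are equivalent in printf terms but should be written the same way, `%.0f`. The `bro_init` handler containing this hunk starts outside the hunk.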